Media Coverage Archive

Friday | December 23, 2016

Apple’s App Transport Security extension should concern IT

CIO | By Matt Kapko – Apple backtracked on its ‘App Transport Security’ mandate, which would require all iOS apps to use secure network connections by 2017. The decision could affect CIOs and mobile administrators.

When Apple in July announced it would require all iOS apps to use a technology called “App Transport Security” by the start of 2017, the move was widely regarded as a positive one for user privacy. Now, barely a week before the deadline, Apple has pulled back and extended the deadline indefinitely. The requirement, if implemented, would close a significant security hole on iOS devices, according to experts.

Apple takes a strong and public position in favor of protecting its users’ privacy. Perhaps the highest-profile example is the company’s standoff in January with the FBI over its insistence that data at rest on iOS devices be encrypted, regardless of the owner or the reasons for a government’s requests to override those protections. (In that case, the intelligence agency wanted access to an alleged terrorist’s personal device to scrape it for evidence and other information.)

What is App Transport Security?

App Transport Security requires mobile apps to use HTTPS, so that all data they send across the network from iOS devices is encrypted in transit, according to Robbie Forkish, vice president of engineering at Appthority, a mobile risk analysis firm that also sells assessment services for mobile devices, apps and APIs.

“To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed,” Apple wrote Wednesday evening in a brief note to developers.

The company originally introduced App Transport Security in iOS 9 in September 2015, but uptake has been tepid. Appthority earlier this month concluded in a report that just 3 percent of the top 200 iOS apps installed on enterprise devices worldwide meet Apple’s security mandate. During the three weeks since that research was published, four additional apps added support for App Transport Security. “That takes the percentage from 3 percent to 5 percent,” Forkish says. “Obviously there’s a huge gap between having all the apps comply.”

Why Apple wants stronger iOS app encryption

Apple is pushing for the security tech to be adopted throughout the app ecosystem, following a trend that began a few years ago when HTTPS became the default in browsers, according to Forkish. “An increasing number of percentages across the web are now fully encrypted end to end,” he says. “There’s this gap where the majority of apps, in communicating with their backend servers, do so unencrypted. That kind of stands out now as an insecure part of the overall ecosystem.”

Enterprises should be concerned about this gap in security, and CIOs who have relied on Apple to provide necessary security are realizing that strategy is no longer viable, if it ever was, according to Forkish. CIOs need to be aware of the apps that don’t support App Transport Security and seek out alternatives that provide the same productivity functions but in a more secure manner, he says.

“It’s hard to know why developers did not meet this deadline. There certainly was adequate time,” he says. “The fact that they haven’t announced a new date suggests to me that it’s probably not in the next six months.”

Forkish speculates that one of the problems could be a lack of security skills among iOS developers, who are more likely to be pressured to focus on time-to-market, the size of the addressable market and quantifying their apps’ features against competitors’ offerings. “Security may not be a concept that app developers, by and large, are familiar with,” he says. “It wasn’t an oppressive development challenge to implement App Transport Security.”

With no further explanation from Apple, the extension should also give enterprises cause for concern, according to Forkish. CIOs need to better understand how apps come to be in enterprise environments, as well as the different participants involved, he says. “A lot of CIOs are thinking more in terms of trust than just security, and if you can’t trust that supply chain for your global apps then you really need to take steps to make sure you know how to separate the wheat from the chaff, so to speak.”